pamd - Manage PAM Modules
New in version 2.3.
Synopsis
- Edit PAM service’s type, control, module path and module arguments. In order for a PAM rule to be modified, the type, control and module_path must match an existing rule. See man(5) pam.d for details.
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
backup bool (added in 2.6) | | Create a backup file including the timestamp information so you can get the original file back if you somehow clobbered it incorrectly. |
control required | | The control of the PAM rule being modified. This may be a complicated control with brackets. If this is the case, be sure to put "[bracketed controls]" in quotes. The type, control and module_path all must match a rule to be modified. |
module_arguments | | When state is 'updated', the module_arguments will replace existing module_arguments. When state is 'args_absent', args matching those listed in module_arguments will be removed. When state is 'args_present', any args listed in module_arguments are added if missing from the existing rule. Furthermore, if the module argument takes a value denoted by '=', the value will be changed to that specified in module_arguments. Note that module_arguments is a list. Please see the examples for usage. |
module_path required | | The module path of the PAM rule being modified. The type, control and module_path all must match a rule to be modified. |
name required | | The name generally refers to the PAM service file to change, for example system-auth. |
new_control | | The new control to assign to the new rule. |
new_module_path | | The new module path to be assigned to the new rule. |
new_type | | The new type to assign to the new rule. |
path | Default: "/etc/pam.d/" | This is the path to the PAM service files. |
state | Choices: updated (default), before, after, args_present, args_absent, absent | The default of 'updated' will modify an existing rule if type, control and module_path all match an existing rule. With 'before', the new rule will be inserted before a rule matching type, control and module_path. Similarly, with 'after', the new rule will be inserted after an existing rule matching type, control and module_path. With either 'before' or 'after', new_type, new_control, and new_module_path must all be specified. If state is 'args_absent' or 'args_present', new_type, new_control, and new_module_path will be ignored. State 'absent' will remove the rule. The 'absent' state was added in version 2.4 and is only available in Ansible versions >= 2.4. |
type required | | The type of the PAM rule being modified. The type, control and module_path all must match a rule to be modified. |
Examples
```yaml
- name: Update pamd rule's control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_control: sufficient

- name: Update pamd rule's complex control in /etc/pam.d/system-auth
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    new_control: '[success=2 default=ignore]'

- name: Insert a new rule before an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    new_type: auth
    new_control: sufficient
    new_module_path: pam_faillock.so
    state: before

- name: Insert a new rule pam_wheel.so with argument 'use_uid' after an existing rule pam_rootok.so
  pamd:
    name: su
    type: auth
    control: sufficient
    module_path: pam_rootok.so
    new_type: auth
    new_control: required
    new_module_path: pam_wheel.so
    module_arguments: 'use_uid'
    state: after

- name: Remove module arguments from an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: ''
    state: updated

- name: Replace all module arguments in an existing rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'preauth silent deny=3 unlock_time=604800 fail_interval=900'
    state: updated

- name: Remove specific arguments from a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_absent

- name: Ensure specific arguments are present in a rule
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments: crond,quiet
    state: args_present

- name: Ensure specific arguments are present in a rule (alternative)
  pamd:
    name: system-auth
    type: session
    control: '[success=1 default=ignore]'
    module_path: pam_succeed_if.so
    module_arguments:
    - crond
    - quiet
    state: args_present

- name: Module arguments requiring commas must be listed as a Yaml list
  pamd:
    name: special-module
    type: account
    control: required
    module_path: pam_access.so
    module_arguments:
    - listsep=,
    state: args_present

- name: Update specific argument value in a rule
  pamd:
    name: system-auth
    type: auth
    control: required
    module_path: pam_faillock.so
    module_arguments: 'fail_interval=300'
    state: args_present

- name: Add pam common-auth rule for duo
  pamd:
    name: common-auth
    new_type: auth
    new_control: '[success=1 default=ignore]'
    new_module_path: '/lib64/security/pam_duo.so'
    state: after
    type: auth
    module_path: pam_sss.so
    control: 'requisite'
```
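To make the matching and argument-merging rules in the parameter table and the examples concrete, here is a small added illustration in Python. It is not the pamd module's own code: it parses pam.d-style rule lines (including bracketed controls), locates rules by the type/control/module_path triple the module requires, and applies the documented 'args_present' (add if missing, replace the value of a 'key=value' argument) and 'args_absent' (remove matching arguments) semantics. The service file, the function names and the rule contents are constructed for the example; matching for 'args_absent' is assumed to be an exact comparison of each argument.

```python
"""Added illustration of pamd's rule matching and module_arguments semantics.
Not the Ansible module's code; sample rules and function names are constructed."""
import re

# Constructed sample service file (not a real system-auth).
SAMPLE_SERVICE = """\
# constructed sample
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account     required      pam_unix.so
"""

# type  control  module_path  [arguments...]; the control may be a bracketed
# list such as [success=1 default=ignore] that itself contains spaces.
RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<path>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_rules(text):
    """Return one dict per rule line; comments and blank lines are skipped.
    Arguments are split on whitespace (bracketed multi-word args are not handled)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unparseable pam.d line: %r" % line)
        rules.append({"type": m.group("type"), "control": m.group("control"),
                      "module_path": m.group("path"),
                      "args": (m.group("args") or "").split()})
    return rules


def find_rules(rules, type_, control, module_path):
    """All three fields must match, as the module documentation requires."""
    return [r for r in rules
            if r["type"] == type_ and r["control"] == control
            and r["module_path"] == module_path]


def _arg_key(arg):
    # 'deny=5' is keyed by 'deny' so that a new value replaces the old one.
    return arg.split("=", 1)[0]


def args_present(existing, wanted):
    """'args_present': append missing args; for key=value args replace the value."""
    result = list(existing)
    for w in wanted:
        for i, e in enumerate(result):
            if _arg_key(e) == _arg_key(w):
                result[i] = w
                break
        else:
            result.append(w)
    return result


def args_absent(existing, unwanted):
    """'args_absent': drop args that exactly match one of the unwanted args."""
    return [e for e in existing if e not in set(unwanted)]


def render(rule):
    """Rebuild a single pam.d rule line from its parts."""
    return " ".join([rule["type"], rule["control"], rule["module_path"]] + rule["args"])


def apply_faillock_hardening(text):
    """Worked example mirroring two of the documented plays: tighten the
    pam_faillock preauth rule to deny=3 with a fail_interval, and remove
    'quiet' from the pam_succeed_if session rule."""
    rules = parse_rules(text)
    for r in find_rules(rules, "auth", "required", "pam_faillock.so"):
        r["args"] = args_present(r["args"], ["deny=3", "fail_interval=900"])
    for r in find_rules(rules, "session", "[success=1 default=ignore]", "pam_succeed_if.so"):
        r["args"] = args_absent(r["args"], ["quiet"])
    return [render(r) for r in rules]


if __name__ == "__main__":
    for line in apply_faillock_hardening(SAMPLE_SERVICE):
        print(line)
```

Note that a rule whose control is written with brackets only matches when the control string is reproduced exactly, which is why the examples quote '[success=1 default=ignore]' in the playbook; a stray space inside the brackets means no rule matches and the module changes nothing.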
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
action string (added in 2.4) | always | The action that was taken; one of: update_rule, insert_before_rule, insert_after_rule, args_present, args_absent, absent. Sample: update_rule |
backupdest string (added in 2.6) | success | The file name of the backup file, if created. |
change_count int (added in 2.4) | success | How many rules were changed. Sample: 1 |
dest string | success | Path to the pam.d service file that was changed. This is only available in Ansible version 2.3 and was removed in 2.4. Sample: /etc/pam.d/system-auth |
new_rule string (added in 2.4) | success | The changes to the rule. This was available in Ansible versions 2.4 and 2.5. It was removed in 2.6. Sample: None None None sha512 shadow try_first_pass use_authtok |
updated_rule_(n) string (added in 2.4) | success | The rule(s) that was/were changed. This is only available in Ansible version 2.4 and was removed in 2.5. Sample: ['password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok'] |
Status
This module is flagged as preview, which means that it is not guaranteed to have a backwards compatible interface.
Maintenance
This module is flagged as community, which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Community, see here.
Author
- Kenneth D. Evensen (@kevensen)
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.6/modules/pamd_module.html